Passwords have long been and still remain the main, and in most cases, the only, authentication method for online services on the Internet. This is largely due to ease of deployment by website owners and accessibility to all users. However, this method of authentication is vulnerable to a number of weaknesses. For example, passwords should be long enough to be secure, while being short enough to be memorable. Passwords should look random to be secure, while looking meaningful to be memorable. Passwords are susceptible to phishing and key logging attacks. Once stolen, passwords allow an attacker to gain access to the system the password is supposed to protect by impersonating the legitimate user.
With the rapid movement of important activities (like banking) to the online world, along with the migration of less technically savvy people to the online world, the previously described weaknesses of passwords make them increasingly unsuitable for user authentication.
One straightforward solution to this problem is based on reformulating the existing problem as “just a password is not enough” and adding more factors of authentication. There are three known factors of authentication: knowledge factor—something the user knows; possession factor—something the user has; and inherence factor—something the user is.
A password is a knowledge factor. Two factor authentication (TFA) requires the user to present two pieces of evidence that belong to two of the three categories above (factors).
The second factor that is typically added is a possession factor. Many current TFA mechanisms require the use of a security token, a small hardware device that is issued to users and displays a seemingly random number that changes periodically. When logging in to a website, the user, in addition to the traditional username and password, has to enter the number displayed on the security token (access code). One example of such a token is RSA SecureID®.
Another TFA implementation uses a USB token that needs to be plugged into a USB port of a computer. The token supplies the access code directly to the computer, sparing the user the need to re-type the access code by hand.
Security schemes based on hardware tokens are successful in strengthening security; however, they have not enjoyed mass market adoption due to the obvious inconvenience for the user of carrying a rarely used device (and in some implementations, having to re-type numbers every time a user logs in) and the cost of deploying such a scheme.
The inconvenience of carrying around another device is mitigated and deployment cost is substantially reduced by use of software tokens that are implemented as Smartphone applications installed on mobile devices that users already carry. One example of such a software token is Google Authenticator®. It is a mobile application for Android®, iOS®, and BlackBerry® Smartphone platforms that generates time-based one-time passwords, just like dedicated hardware tokens. In this scheme, the mobile phone is a possession factor. No need to buy another device, no need to carry another device, but the user still has to transcribe the access code from his mobile phone screen to a separate computer.
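As an added illustration (not part of this text, and not the code of Google Authenticator or any other product named here), the following shows how a time-based one-time password of the kind such soft tokens display is generated and how a server should verify it: HOTP (RFC 4226) with SHA-1, driven by a 30-second time counter (RFC 6238). The shared secret is assumed to be provisioned at enrollment; the secret and timestamps used below are constructed test values.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), SHA-1 variant, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the number of elapsed time steps."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check: tolerate +/- `window` steps of clock skew, reject replay of a used step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1  # highest time step already accepted for this user

    def verify(self, submitted: str, at_time: Optional[int] = None) -> bool:
        # Reject malformed input before comparing, so a short guess cannot match a short code.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        if at_time is None:
            at_time = int(time.time())
        current = at_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate < 0 or candidate <= self.last_step:
                continue  # counter cannot go backwards: already used or older than last accepted
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), submitted):
                self.last_step = candidate  # constant-time compare; remember step to block replay
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed test secret (RFC 6238 test vector key)
    print(totp(secret, 59))           # code the soft token would display at t=59s
```

The `last_step` bookkeeping is what stops an observed code from being accepted a second time within the skew window.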
Probably the most widely used (to date) TFA method is based on SMS codes. After a user successfully presents a knowledge factor (e.g., username and password), a text message is sent to his mobile phone. The message contains a code that the user needs to transcribe back to the browser window on a separate computer. This solution is more accessible than soft tokens since it works on all mobile phones, not just Smartphones, and doesn't require installing any applications on the mobile phone. However, it is still inconvenient from a user's perspective as it requires one to obtain codes from the screen of one device and type them into another device. This makes for a lengthy login. The approach also incurs costs for the provider who has to pay for the SMS message sent to user phones.
A new TFA method builds on the growing adoption of Smartphones, the always connected, always-with-me devices. An application is installed on a user's Smartphone. After successful verification of a knowledge factor (e.g., a user name and a password) through a computer, a push notification is sent to the user's Smartphone. The application wakes up and asks the user to confirm login. The user taps the “Confirm” button and access is granted on the user's computer. This method is already employed by the companies Toopher®, Duo Security®, Accells®, and Phonefactor®. By eliminating the need to re-type codes, this new TFA method makes a user's life much easier than older TFA methods. However, passwords still keep their place as the primary authentication factor.
In view of the foregoing, it would be desirable to provide a more convenient, and yet still secure, authentication technique.